Checkpoint Profile VPN

Check Point™IPSec Interoperability

October 2003

OverviewThis document describes how to configure Check Point VPN-1/FireWall-1 to implement the scenarios described in the VPN Consortium’s interoperability specification (http://www.vpnc.org/interopProfiles.html).

In This Document

Network Configuration

Network Configuration Overview

FIGURE 1 shows the network configuration for both scenarios.

FIGURE 1 Scenario 1 Network Configuration

In VPN-1/FireWall-1, there are two methods by which a VPN can be configured:

• simplified method — VPN communities

A VPN community is a group of gateways that encrypt all communications among themselves, according to parameters defined for the VPN community as a whole. There is no need to define encryption rules in the Security Policy Rule Base — membership in the community implies encryption.

• traditional method

Using the traditional method, the administrator defines the encryption parameters for each gateway and the encryption rules in the Security Policy Rule Base.

This document describes how to configure the scenarios using the simplified configuration method.

Network Configuration page 1

Scenario 1 Configuration page 2

Scenario 2 Configuration page 18

Gateway A Gateway B(Check Point

VPN-1/FireWall-1 installed)(Check Point

VPN-1/FireWall-1 NOT installed)

Gateway Bis an interoperable device

Gateway Ais a Check Point gateway

network A10.5.6.0/24

network B172.23.9.0/24

interface AL10.5.6.1

interface AW14.15.16.17

interface BW22.23.24.25

interface BL172.23.9.1

Internet

http://www.vpnc.org/interop.html

http://www.vpnc.org/InteropProfiles/

Scenario 1 Configuration


Scenario 1 Configuration Overview

TABLE 1 summarizes each of the phase 1 and phase 2 parameters in this scenario and specifies how they are set.

Note - The step-by-step instructions in the following sections assume the reader has a working knowledge of Check Point VPN-1/FireWall-1, and only the parameters directly related to the scenarios are described in detail.

TABLE 1 Scenario 1 — Phase 1 and Phase 2 parameters

parameter defined in...

phase 1

Main mode default

Triple DES Select 3DES under Perform key exchange encryption with under IKE (Phase 1)

Properties in the VPN Community’s VPN Properties page (FIGURE 23 on page 14).

SHA-1 Select SHA-1 under Perform data integrity with under IKE (Phase 1) Properties in the VPN Community’s VPN Properties page (FIGURE 23 on page 14).

MODP group 2 Select Group 2 (1024 bit) in Use Diffie-Hellman group under IKE (Phase 1) in the VPN Community’s Advanced VPN Properties page (FIGURE 24 on page 15).

pre-shared secret • Enable for the VPN Community by checking Use only Shared Secret for all

External members in the VPN Community’s Shared Secret page (FIGURE 25 on page 16).

• Define a pre-shared secret for Gateway B in the Shared Secret page (FIGURE 26 on page 16).

SA lifetime Specify a value for Renegotiate IKE security associations every ... minutes under IKE (Phase 1) in the VPN Community’s Advanced VPN Properties page (FIGURE 24 on page 15).

phase 2

Triple DES Select 3DES under Perform IPSec data encryption with under IKE (Phase 2)



ESP tunnel mode default; cannot be changed


page 2


Configuration Step-By-Step

To implement this scenario, you will perform the following:

• create a new policy

• define a VPN Community

• define Gateway A and add it to the VPN Community

• define Gateway B and add it to the VPN Community

• define the VPN Community’s encryption and authentication parameters

• save and install the policy

In This Section

Create a New Policy

1 Choose File-->New from the menu to create a new Policy.

Perfect Forward Secrecy Check Use Perfect Forward Secrecy under IKE (Phase 2) in the VPN Community’s Advanced VPN Properties page (FIGURE 24 on page 15).

SA lifetime Specify a value for Renegotiate IKE security associations every ... seconds under IKE (Phase 2) in the VPN Community’s Advanced VPN Properties page (FIGURE 24 on page 15).

between 10.5.6.0/24 and 172.23.9.0/24

In the Topology page of the gateway’s Properties window (for example, FIGURE 8 on page 7), select All IP addresses behind gateway based on

topology.

Create a New Policy page 3

Define a VPN Community page 4

Define Gateway A page 5

Define Gateway B page 10

Define the VPN Community Parameters page 13

Save and Install the Policy page 16

Define Routing page 17

TABLE 1 Scenario 1 — Phase 1 and Phase 2 parameters (continued)


page 3


2 In the New Policy Package window (FIGURE 2):

• Enter a name for the Policy.

• Check Security and Address Translation.

FIGURE 2 New Policy Package window

Define a VPN Community

3 Click the VPN Manager tab (FIGURE 3).

FIGURE 3 Policy tabs

page 4


4 Right click in the upper pane (below the tabs) and select New Community --> Meshed.

In the General page of the VPN Community’s Properties window (FIGURE 4), specify the name of the VPN Community.

FIGURE 4 General page of VPN Community’s Properties window

Define Gateway A

Gateway A — General Properties

5 In the object tray at the left of the screen (FIGURE 5), right-click Check Point and select New Check Point -->

Gateway.

FIGURE 5 Defining a new gateway from the tray

page 5


6 Select Classic Mode (FIGURE 6).

FIGURE 6 Gateway Creation Mode window

7 Define Gateway A as shown below (FIGURE 7).

FIGURE 7 Gateway A General Properties

page 6


Gateway A — Topology

8 Open the Topology page (FIGURE 8).

FIGURE 8 Gateway A Topology page

9 Under VPN Domain, select All IP addresses behind gateway based on topology information.

10 Click Add to define the interfaces.

11 Define interface AL as shown below (FIGURE 9).

FIGURE 9 Gateway A Interface AL Properties

page 7


12 Define interface AW as shown below (FIGURE 10).

FIGURE 10 Gateway A Interface AW Properties

Gateway A’s topology is shown in FIGURE 11.

FIGURE 11 Gateway A Topology

page 8


Gateway A — VPN

13 Open the VPN page (FIGURE 12) and click Add (under VPN).

FIGURE 12 Gateway A VPN page

In the Add This Gateway to Community window (FIGURE 13), select the VPN Community you defined earlier (FIGURE 4 on page 5) and click OK.

FIGURE 13 Add This Gateway to Community

page 9


Define Gateway B

Gateway B — General Properties

14 In the object tray at the left of the screen (FIGURE 14):

• Right-click Network Objects.

• Select New --> Interoperable Devices.

FIGURE 14 Defining an interoperable device from the object tray

15 Define Gateway B as shown below (FIGURE 15).

FIGURE 15 Gateway B General Properties

page 10



FIGURE 16 Gateway B Topology page



19 Define interface BW as shown below (FIGURE 17).

FIGURE 17 Gateway B Interface BW Properties

page 11


20 Define interface BL as shown below (FIGURE 18).

FIGURE 18 Gateway B Interface BL Properties

Gateway B — VPN


FIGURE 19 Gateway B VPN page

page 12


22 In the Add This Gateway to Community window (FIGURE 13), select the VPN Community you defined earlier (FIGURE 4 on page 5) and click OK.


Define the VPN Community Parameters

23 Double-click on the VPN Community’s icon (FIGURE 21).

FIGURE 21 VPN Communities

In the Participating Gateways page (FIGURE 22), you can see both GatewayA and GatewayB.

FIGURE 22 Participating Gateways page

page 13


24 In the VPN Properties page (FIGURE 23), set the IKE (Phase 1) and IPSec (Phase 2) properties (see TABLE 1 on page 2).

FIGURE 23 VPN Properties page

page 14


25 In the Advanced Properties page (FIGURE 24), set additional IKE (Phase 1) and IPSec (Phase 2) properties (see TABLE 1 on page 2).

FIGURE 24 Advanced Properties page

page 15


26 In the Shared Secret page (FIGURE 25), check Use only shared secrets for all external members.

FIGURE 25 Shared Secret page

27 Select Gateway B under Peer Name and click Edit.

28 Enter the pre-shared secret (“hr5xb84l6aa9r6”) and click Set.

FIGURE 26 Shared Secret window

Save and Install the Policy

29 Define a security policy that will allow the required encrypted communication. (FIGURE 27)

Add a rule using Rules -->Add rule -->top

30 Edit the rule:

VPN: Edit cell... and select Only connections encrypted in any Site-to-Site VPN Community

Note - Shared secrets can be used only when one of the gateways is not managed by Check Point.

page 16


31 Service: Specify the allowed services that are to be encrypted (eg: Authenticated Group, and icmp-proto)

32 Action: Change to Accept

33 Track: Change to Log

34 Add a final rule to drop any other communication Rules -->Add Rule -->Bottom

35 Save the Policy File -->Save

FIGURE 27 The Security Policy

36 Save the Policy.

37 Install the Policy on Gateway A.

Define Routing

38 In the Operating System, define Gateway A’s default gateway.

Configuration Complete

All communications between Gateway A and Gateway B will be encrypted.

The configuration for scenario 1 is now complete.

page 17



Scenario 2 Configuration OverviewScenario 2 is identical to scenario 1, except that identification is performed using signatures authenticated by PKIX certificates.

TABLE 2 summarizes each of the phase 1 and phase 2 parameters in this scenario and specifies how they are set.

TABLE 2 Scenario 2 — Phase 1 and Phase 2 parameters


phase 1

Main mode default

Triple DES Select 3DES under Perform key exchange encryption with under IKE (Phase 1)




PKIX certificate Create for each gateway in the VPN page of its Properties window (for example, FIGURE 41 on page 27).

SA lifetime Specify a value for Renegotiate IKE security associations every ... minutes under IKE (Phase 1) in the VPN Community’s Advanced VPN Properties page (FIGURE 53 on page 35).

phase 2

Triple DES Select 3DES under Perform IPSec data encryption with under IKE (Phase 2)



ESP tunnel mode default; cannot be changed


Perfect Forward Secrecy Check Use Perfect Forward Secrecy under IKE (Phase 2) in the VPN Community’s Advanced VPN Properties page (FIGURE 53 on page 35).

SA lifetime Specify a value for Renegotiate IKE security associations every ... seconds under IKE (Phase 2) in the VPN Community’s Advanced VPN Properties page (FIGURE 53 on page 35).

selectors for all IP protocols, all ports

In the Topology page of the gateway’s Properties window (for example, FIGURE 40 on page 26), select All IP addresses behind gateway based on

topology.

between 10.5.6.0/24 and 172.23.9.0/24

Select 3DES under Perform IPSec data encryption with under IKE (Phase 2)


page 18


Configuration Step-By-Step

To implement this scenario, you will perform the following:

• create a new policy

• define a Certificate Authority for both Gateway A and Gateway B

• define a VPN Community

• define Gateway A, generate its certificate and add the gateway to the VPN Community

• define Gateway B, generate its certificate and add the gateway to the VPN Community

• define the VPN Community’s encryption and authentication parameters

• save and install the policy

In This Section

Create a New Policy

1 Choose File-->New from the menu to create a new Policy.

Create a New Policy page 19

Define a VPN Community page 20

Define a Certificate Authority page 21

Get the Certificate Authority’s Own Certificate page 22

Define Gateway A page 23

Adding the Gateway’s Certificate page 27

Define Gateway B page 29

Define the VPN Community Parameters page 33

Advanced Properties page page 35

Define Routing page 36

page 19


2 In the New Policy Package window (FIGURE 28):

• Enter a name for the Policy.

• Check Security and Address Translation.

FIGURE 28 New Policy Package window

Define a VPN Community

3 Click the VPN Manager tab (FIGURE 29).

FIGURE 29 Policy tabs

page 20


4 Right click in the upper pane (below the tabs) and select New Community --> Meshed.

In the General page of the VPN Community’s Properties window (FIGURE 30), specify the name of the VPN Community.

FIGURE 30 General page of VPN Community’s Properties window

Define a Certificate Authority

5 From the menu, choose Manage-->Servers and OPSEC Applications.

FIGURE 31 Servers and OPSEC Applications window

page 21


6 In the Servers and OPSEC Applications window (FIGURE 31), click New and choose Certificate Authority from the menu (FIGURE 32).

FIGURE 32 New Certificate Authority

7 In the Certificate Authority Properties window (FIGURE 33), specify a name and select OPSEC PKI under Certificate Authority.

FIGURE 33 Certificate Authority Properties window — General tab

Get the Certificate Authority’s Own Certificate

8 You must now get and save the Certificate Authority’s own certificate from the Certificate Authority.

Follow the procedure defined by the Certificate Authority for this step.

page 22


9 In the OPSEC PKI tab (FIGURE 34), click Get and browse to the certificate you saved in the previous step.

FIGURE 34 Certificate Authority Properties window — OPSEC PKI tab

Define Gateway A

Gateway A — General Properties

10 In the object tray at the left of the screen (FIGURE 35), right-click Check Point and selectNew Check Point --> Gateway.

FIGURE 35 Defining a new gateway from the tray

page 23


11 Define Gateway A as shown below (FIGURE 36).

FIGURE 36 Gateway A General Properties

page 24


Gateway A — Topology


FIGURE 37 Gateway A Topology page



15 Define interface AL as shown below (FIGURE 38).

FIGURE 38 Gateway A Interface AL Properties

page 25


16 Define interface AW as shown below (FIGURE 39).

FIGURE 39 Gateway A Interface AW Properties

Gateway A’s topology is shown in FIGURE 40.

FIGURE 40 Gateway A Topology

page 26


Gateway A — VPN


FIGURE 41 Gateway A VPN page

18 In the Add This Gateway to Community window (FIGURE 42), select the VPN Community you defined earlier (FIGURE 30 on page 21) and click OK.


Adding the Gateway’s Certificate

19 In the VPN page of Gateway A’s Properties window (FIGURE 41), click Add (under Certificates) to open the Certificate Properties window (FIGURE 43).

Adding a gateways’ certificate consists of the following:

• Generating a certificate request, that is, a request for the Certificate Authority to issue a certificate for this gateway (step 22 on page 28).

• Submitting the certificate request to the Certificate Authority (step 23 on page 28).

page 27


• Getting the certificate from the Certificate Authority (after it has been issued) and saving it to a file (step 24 on page 28).

• Adding the certificate to the gateway (step 25 on page 29).

FIGURE 43 Certificate Properties window

20 Specify a nickname for the certificate.

21 Select a Certificate Authority.

22 Click Generate.

A certificate request will be created for submission to the Certificate Authority.

23 Submit the certificate request to the Certificate Authority.

The details of how to do this depend on the Certificate Authority.

24 Get the certificate from the Certificate Authority and save it in a file.

The details of how to do this depend on the Certificate Authority.

Note - The Certificate Authority “kenny” was defined earlier (see “Define a Certificate Authority” on page 21).

page 28


25 Add the certificate to the gateway by clicking Get in the Certificate Properties window (FIGURE 44) and browsing to the file you saved in the previous step.

FIGURE 44 Certificate Properties window after certificate request was generated

Define Gateway B

Gateway B — General Properties

26 In the object tray at the left of the screen (FIGURE 14), right-click Interoperable Devices and select New

Interoperable Device.

FIGURE 45 Defining an interoperable device from the object tray

page 29


27 Define Gateway B (FIGURE 46).

FIGURE 46 Gateway B General Properties

page 30



FIGURE 47 Gateway B Topology page



31 Define interface BW as shown below (FIGURE 48).

FIGURE 48 Gateway B Interface BW Properties

page 31


32 Define interface BL as shown below (FIGURE 49).

FIGURE 49 Gateway B Interface BL Properties

Gateway B — VPN

33 Generate a certificate for Gateway B in the same way you generated a certificate for Gateway A (see step 19 on page 27 through step 26 on page 29).

page 32


Define the VPN Community Parameters

34 Double-click on the VPN Community’s icon (FIGURE 50).

FIGURE 50 VPN Communities

In the Participating Gateways page (FIGURE 51), you can see both GatewayA and GatewayB.

FIGURE 51 Participating Gateways page

page 33


35 In the VPN Properties page (FIGURE 52), set the IKE (Phase 1) and IPSec (Phase 2) properties (see TABLE 1 on page 2).

FIGURE 52 VPN Properties page

page 34


36 In the Advanced Properties page (FIGURE 53), set additional IKE (Phase 1) and IPSec (Phase 2) properties (see TABLE 1 on page 2).

FIGURE 53 Advanced Properties page

37 Define a security policy that will allow the required encrypted communication. (Figure 53)

Add a rule using Rules -->Add rule -->top

38 Edit the rule:

VPN: Edit cell... and select Only connections encrypted in any Site-to-Site VPN Community

39 Service: Specify the allowed services that are to be encrypted (eg: Authenticated Group, and icmp-proto)

40 Action: Change to Accept

41 Track: Change to Log

42 Add a final rule to drop any other communication Rules -->Add Rule -->Bottom

43 Save the Policy File -->Save

FIGURE 54 The Security Policy

44 Install the Policy on Gateway A.

page 35


Define Routing

45 In the Operating System, define Gateway A’s default gateway.

Configuration Complete

All communications between Network A and Network B will now be encrypted by Gateway A and Gateway B.

The configuration for scenario 2 is now complete.

page 36

Checkpoint Profile VPN

Documents

Transcript of Checkpoint Profile VPN